Abstract. In this paper we prove some divisibility properties of the cardinality of elliptic curves modulo primes. These proofs explain the good behavior of certain parameters when using Montgomery or Edwards curves in the setting of the elliptic curve method (ECM) for integer factorization. The ideas of the proofs help us to find new families of elliptic curves with good division properties which increase the success probability of ECM.



1. Introduction 

The elliptic curve method (ECM) for integer factorization [13] is the asymptotically fastest method for finding relatively small factors $p$ of large integers $N$. In practice, ECM is used, on the one hand, to factor large integers. For instance, the current ECM record is a 241-bit factor of $2^{1181} - 1$ [9]. On the other hand, ECM is used to factor many small (100 to 200 bits) integers as part of the number field sieve [1?, 15, ?], the most efficient general purpose integer factorization method.

Traditionally, the elliptic curve arithmetic used in ECM is implemented using Montgomery curves [17] (e.g., in the widely-used GMP-ECM software [?]). Generalizing the work of Euler and Gauss, Edwards introduced a new normal form for elliptic curves [12] which results in a fast realization of the elliptic curve group operation in practice. These Edwards curves have been generalized by Bernstein and Lange [7] for usage in cryptography. Bernstein et al. explored the possibility of using these curves in the ECM setting [6]. After Hisil et al. [13] published a coordinate system which results in the fastest known realization of curve arithmetic, a follow-up paper by Bernstein et al. discusses the usage of the so-called "$a = -1$" twisted Edwards curves [5] in ECM.

It is common to construct or search for curves which have favorable properties. The success of ECM depends on the smoothness of the cardinality of the curve considered modulo the unknown prime divisor $p$ of $N$. This usually means constructing curves with large torsion group over $\mathbb{Q}$ or finding curves such that the order of the elliptic curve, when considered modulo a family of primes, is always divisible by an additional factor. Examples are the Suyama construction [23], the curves proposed by Atkin and Morain [1], a translation of these techniques to Edwards curves [6, 5], and a family of curves suitable for Cunningham numbers [10].

In this paper we study and prove divisibility properties of the cardinality of elliptic curves over prime fields. We do this by studying properties of Galois groups of torsion points using Chebotarev's theorem [18]. Furthermore, we investigate some elliptic curve parameters for which ECM finds exceptionally many primes in practice, but which do not fit in any of the known cases of good torsion properties. We prove this behavior and provide parametrizations for families of elliptic curves with these properties.

2. Galois properties of torsion points of elliptic curves 

In this section we give a systematic way to compute the probability that the order 
of a given elliptic curve reduced by an arbitrary prime is divisible by a certain prime 
power. 

2.1. Torsion Properties of Elliptic Curves. 

Definition 2.1. Let $K$ be a finite Galois extension of $\mathbb{Q}$, $p$ a prime and $\mathfrak{p}$ a prime ideal above $p$ with residue field $k_\mathfrak{p}$. The decomposition group $\mathrm{Dec}(\mathfrak{p})$ of $\mathfrak{p}$ is the subgroup of $\mathrm{Gal}(K)$ which stabilizes $\mathfrak{p}$. Call $\alpha^{(\mathfrak{p})}$ the canonical morphism from $\mathrm{Dec}(\mathfrak{p})$ to $\mathrm{Gal}(k_\mathfrak{p}/\mathbb{F}_p)$ and let $\phi_\mathfrak{p}$ be the Frobenius automorphism on the field $k_\mathfrak{p}$. We define $\mathrm{Frobenius}(p) = \bigcup_{\mathfrak{p} \mid p} (\alpha^{(\mathfrak{p})})^{-1}(\phi_\mathfrak{p})$.

In order to state Chebotarev's theorem we say that a set $S$ of primes admits a natural density equal to $\delta$, and write $P(S) = \delta$, if $\lim_{N \to \infty} \#(S \cap \Pi(N))/\#\Pi(N)$ exists and equals $\delta$, where $\Pi(N)$ is the set of primes up to $N$. If $\mathrm{event}(p)$ is a property which can be defined for all primes except a finite set (thus of null density), when we write $P(\mathrm{event}(p))$ we tacitly exclude the primes where $\mathrm{event}(p)$ cannot be defined.

Theorem 2.2 (Chebotarev, [18]). Let $K$ be a finite Galois extension of $\mathbb{Q}$. Let $H \subset \mathrm{Gal}(K)$ be a conjugacy class. Then

$P(\mathrm{Frobenius}(p) = H) = \dfrac{\#H}{\#\mathrm{Gal}(K)}$.

Before applying Chebotarev's theorem to the case of elliptic curves, we introduce some notation. For every elliptic curve $E$ over a field $F$ and all $m \in \mathbb{N}$, $m \geq 2$, we consider the field $F(E[m])$ which is the smallest extension of $F$ containing all the $m$-torsion of $E$. The next result is classical, but we present its proof for the intuition it brings.

Proposition 2.3. For every integer $m \geq 2$ and any elliptic curve $E$ over some field $F$, the following holds:

(1) $F(E[m])/F$ is a Galois extension;

(2) there is an injective morphism $\iota_m : \mathrm{Gal}(F(E[m])/F) \to \mathrm{Aut}(E(\bar F)[m])$.

Proof. (1) Since the addition law of $E$ can be expressed by rational functions over $F$, there exist polynomials $f_m, g_m \in F[X, Y]$ such that the coordinates of the points in $E(\bar F)[m]$ are the solutions of the system $(f_m = 0, g_m = 0)$. Therefore $F(E[m])$ is the splitting field of $\mathrm{Res}_X(f_m, g_m)$ and $\mathrm{Res}_Y(f_m, g_m)$ and in particular is Galois. (2) For each $\sigma \in \mathrm{Gal}(F(E[m])/F)$ we call $\iota_m(\sigma)$ the map which sends $(x, y) \in E(\bar F)[m]$ to $(\sigma(x), \sigma(y))$. Thanks to the discussion above, $\iota_m(\sigma)$ sends points of $E(\bar F)[m]$ into $E(\bar F)[m]$. Since the addition law can be expressed by rational functions over $F$, for each $\sigma$, $\iota_m(\sigma) \in \mathrm{Aut}(E(\bar F)[m])$. One easily checks that $\iota_m$ is a group morphism and its kernel is the identity. □
Notation 2.4. We fix generators for $E(\bar{\mathbb{Q}})[m]$, thereby inducing an isomorphism $\psi_m : \mathrm{Aut}(E(\bar{\mathbb{Q}})[m]) \to \mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$. Let $\iota_m$ be the injection given by Proposition 2.3. We call $\rho_m : \mathrm{Gal}(F(E[m])/F) \to \mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$ the injective morphism $\psi_m \circ \iota_m$.

Let $p$ be a prime such that $E$ has good reduction at $p$ and $p \nmid m$. Let $\iota_m^{(p)}$ be the injection of $\mathrm{Gal}(\mathbb{F}_p(E[m])/\mathbb{F}_p)$ into $\mathrm{Aut}(E(\bar{\mathbb{F}}_p)[m])$ given by Proposition 2.3. By [21, Prop. VII.3.1] there is a canonical isomorphism $r_m^{(\mathfrak{p})}$ from $\mathrm{Aut}(E(\bar{\mathbb{Q}})[m])$ to $\mathrm{Aut}(E(\bar{\mathbb{F}}_p)[m])$ for each prime ideal $\mathfrak{p}$ over $p$.

Remark 2.5. Note that $\#\mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q})$ is bounded by $\#\mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$. For every prime $\pi$, we have $\#\mathrm{GL}_2(\mathbb{Z}/\pi\mathbb{Z}) = (\pi-1)^2(\pi+1)\pi$, and for every integer $k \geq 1$, $\#\mathrm{GL}_2(\mathbb{Z}/\pi^{k+1}\mathbb{Z}) = \pi^4\,\#\mathrm{GL}_2(\mathbb{Z}/\pi^k\mathbb{Z})$.

Notation 2.6. For all $g \in \mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$ we put $\mathrm{Fix}(g) = \{v \in (\mathbb{Z}/m\mathbb{Z})^2 \mid g(v) = v\}$. Conjugation of $g$ gives an isomorphic group of fixed elements. If we are interested only in the isomorphism class we use the notation $\mathrm{Fix}(C)$ where $C$ is a set of conjugate elements. We use analogous notations for $\mathrm{Aut}(E(\bar{\mathbb{Q}})[m])$ and $\mathrm{Aut}(E(\bar{\mathbb{F}}_p)[m])$.

Theorem 2.7. Let $E$ be an elliptic curve over $\mathbb{Q}$ and $m \geq 2$ be an integer. Put $K = \mathbb{Q}(E[m])$. Let $T$ be a subgroup of $\mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$. Then,

(1) $P(E(\mathbb{F}_p)[m] \simeq T) = \dfrac{\#\{\sigma \in \mathrm{Gal}(K/\mathbb{Q}) \mid \mathrm{Fix}(\rho_m(\sigma)) \simeq T\}}{\#\mathrm{Gal}(K/\mathbb{Q})}$;

(2) Let $a, n \in \mathbb{N}$ such that $a < n$ and $\gcd(a, n) = 1$ and let $\zeta_n$ be a primitive $n$th root of unity. Put $G_a = \{\sigma \in \mathrm{Gal}(K(\zeta_n)/\mathbb{Q}) \mid \sigma(\zeta_n) = \zeta_n^a\}$. Then:

$P(E(\mathbb{F}_p)[m] \simeq T \mid p \equiv a \bmod n) = \dfrac{\#\{\sigma \in G_a \mid \mathrm{Fix}(\rho_m(\sigma|_K)) \simeq T\}}{\#G_a}$.

Proof. (1) Let $p \nmid m$ be a prime for which $E$ has good reduction and let $\mathfrak{p}$ be a prime ideal of $K$ over $p$. We abbreviate $H = \{\sigma \in \mathrm{Gal}(K/\mathbb{Q}) \mid \mathrm{Fix}(\iota_m(\sigma)) \simeq T\}$. First note that $E(\mathbb{F}_p)[m] = \mathrm{Fix}(\iota_m^{(p)}(\phi_p))$ where $\phi_p$ is the Frobenius in $\mathrm{Gal}(\mathbb{F}_p(E[m])/\mathbb{F}_p)$. Since the diagram

$\mathrm{Dec}(\mathfrak{p}) \hookrightarrow \mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q}) \xrightarrow{\ \iota_m\ } \mathrm{Aut}(E(\bar{\mathbb{Q}})[m])$

$\mathrm{Gal}(k_\mathfrak{p}/\mathbb{F}_p) \simeq \mathrm{Gal}(\mathbb{F}_p(E[m])/\mathbb{F}_p) \xrightarrow{\ \iota_m^{(p)}\ } \mathrm{Aut}(E(\bar{\mathbb{F}}_p)[m])$

(with vertical maps $\alpha^{(\mathfrak{p})}$ on the left and $r_m^{(\mathfrak{p})}$ on the right) is commutative and since $\mathrm{Frobenius}(p) \subset \mathrm{Gal}(K/\mathbb{Q})$ is the conjugacy class generated by $(\alpha^{(\mathfrak{p})})^{-1}(\phi_\mathfrak{p})$, we have $E(\mathbb{F}_p)[m] \simeq \mathrm{Fix}(\iota_m(\mathrm{Frobenius}(p)))$.

Decompose $H$ into a disjoint union of conjugacy classes $C_1, \ldots, C_N$. Then $\mathrm{Fix}(\iota_m(\mathrm{Frobenius}(p))) \simeq T$ is equivalent to $\mathrm{Frobenius}(p)$ being one of the $C_i$. Thanks to Theorem 2.2 we obtain:

$P(E(\mathbb{F}_p)[m] \simeq T) = \sum_{i=1}^{N} P(\mathrm{Frobenius}(p) = C_i) = \sum_{i=1}^{N} \dfrac{\#C_i}{\#\mathrm{Gal}(K/\mathbb{Q})} = \dfrac{\#H}{\#\mathrm{Gal}(K/\mathbb{Q})}$.

(2) Using similar arguments as in (1) we have to evaluate

$\dfrac{P(\mathrm{Frobenius}(p) \in \{C_1, \ldots, C_N\},\ p \equiv a \bmod n)}{P(p \equiv a \bmod n)}$.

Let $p$ be a prime and $\mathfrak{p}$ a prime ideal as in the first part of the proof, and let $\mathfrak{P}$ be a prime ideal of $K(\zeta_n)$ lying over $\mathfrak{p}$. Furthermore let $\tilde C_1, \ldots, \tilde C_M$ be the conjugacy classes of $\mathrm{Gal}(K(\zeta_n)/\mathbb{Q})$ that are in the pre-images of $C_1, \ldots, C_N$ and whose elements $\sigma$ satisfy $\sigma(\zeta_n) = \zeta_n^a$. Since $\mathrm{Gal}(K(\zeta_n)/\mathbb{Q})$ maps $\zeta_n$ to primitive $n$th roots of unity we have for $\sigma \in (\alpha^{(\mathfrak{P})})^{-1}(\phi_\mathfrak{P})$ that $\sigma(\zeta_n) = \zeta_n^b$ holds for some $b$. Together with $\sigma(x) \equiv x^p \bmod \mathfrak{P}$ we get $\zeta_n^b \equiv \zeta_n^p \bmod \mathfrak{P}$. If we exclude the finitely many primes dividing the norms of $\zeta_n^c - 1$ for $c = 1, \ldots, n-1$ we obtain $b \equiv p \bmod n$. Since $\mathrm{Frobenius}(K(\zeta_n), p)$, the Frobenius conjugacy class for $K(\zeta_n)$, is the pre-image of $\mathrm{Frobenius}(p)$, we get with the argument above $P(\mathrm{Frobenius}(p) \in \{C_1, \ldots, C_N\},\ p \equiv a \bmod n) = P(\mathrm{Frobenius}(K(\zeta_n), p) \in \{\tilde C_1, \ldots, \tilde C_M\})$. A similar consideration for the denominator $P(p \equiv a \bmod n)$ completes the proof. □

Remark 2.8. Put $K = \mathbb{Q}(E[m])$. If $[K(\zeta_n) : \mathbb{Q}(\zeta_n)] = [K : \mathbb{Q}]$, then one has $P(E(\mathbb{F}_p)[m] \simeq T \mid p \equiv a \bmod n) = P(E(\mathbb{F}_p)[m] \simeq T)$ for $a$ coprime to $n$. Indeed, according to Galois theory, $\mathrm{Gal}(K(\zeta_n)/\mathbb{Q})/\mathrm{Gal}(K(\zeta_n)/K) \simeq \mathrm{Gal}(K/\mathbb{Q})$ through $\sigma \mapsto \sigma|_K$. Since $[K(\zeta_n) : \mathbb{Q}(\zeta_n)] = [K : \mathbb{Q}]$, we have $[K(\zeta_n) : K] = \varphi(n)$ and therefore each element $\sigma$ of $\mathrm{Gal}(K/\mathbb{Q})$ extends in exactly one way to an element of $\mathrm{Gal}(K(\zeta_n)/\mathbb{Q})$ which satisfies $\sigma(\zeta_n) = \zeta_n^a$. Note that for $n \in \{3, 4\}$ the condition is equivalent to $\zeta_n \notin K$.

The families constructed by Brier and Clavier [10], which are dedicated to integers $N$ such that the $n$th cyclotomic polynomial has roots modulo $N$, modify $[K(\zeta_n) : \mathbb{Q}(\zeta_n)]$ by imposing a large torsion subgroup over $\mathbb{Q}(\zeta_n)$.

An important particular case of Theorem 2.7 is as follows:



Corollary 2.9. Let $E$ be an elliptic curve and $\pi$ be a prime number. Then,

$P(E(\mathbb{F}_p)[\pi] \simeq \mathbb{Z}/\pi\mathbb{Z}) = \dfrac{\#\{g \in \rho_\pi(\mathrm{Gal}(\mathbb{Q}(E[\pi])/\mathbb{Q})) \mid \det(g - \mathrm{Id}) = 0,\ g \neq \mathrm{Id}\}}{\#\mathrm{Gal}(\mathbb{Q}(E[\pi])/\mathbb{Q})}$,

$P(E(\mathbb{F}_p)[\pi] \simeq \mathbb{Z}/\pi\mathbb{Z} \times \mathbb{Z}/\pi\mathbb{Z}) = \dfrac{1}{\#\mathrm{Gal}(\mathbb{Q}(E[\pi])/\mathbb{Q})}$.

Example 2.10. Let us compute these probabilities for the curves $E_1 : y^2 = x^3 + 5x + 7$ and $E_2 : y^2 = x^3 - 11x + 14$ and the primes $\pi = 3$ and $\pi = 5$.

Here $E_1$ illustrates the generic case, whereas $E_2$ has special Galois groups. One checks with Sage [22] that $[\mathbb{Q}(E_1[3]) : \mathbb{Q}] = 48$ and $\#\mathrm{GL}_2(\mathbb{Z}/3\mathbb{Z}) = 48$. By Proposition 2.3 we deduce that $\rho_3(\mathrm{Gal}(\mathbb{Q}(E_1[3])/\mathbb{Q})) = \mathrm{GL}_2(\mathbb{Z}/3\mathbb{Z})$. A simple computation shows that $\mathrm{GL}_2(\mathbb{Z}/3\mathbb{Z})$ contains 21 elements having 1 as eigenvalue, one of which is $\mathrm{Id}$. Corollary 2.9 gives the following probabilities: $P(E_1(\mathbb{F}_p)[3] \simeq \mathbb{Z}/3\mathbb{Z}) = 20/48$ and $P(E_1(\mathbb{F}_p)[3] \simeq \mathbb{Z}/3\mathbb{Z} \times \mathbb{Z}/3\mathbb{Z}) = 1/48$. We used the same method for all the probabilities of Table 1, where we compare them to experimental values.

Note that the relative difference between theoretical and experimental values never exceeds 0.4%. It is interesting to observe that reducing the Galois group does not necessarily increase the probabilities, as is shown for $\pi = 3$.
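Corollary 2.9 can be checked by brute force. The following added example (not the paper's code) enumerates $\mathrm{GL}_2(\mathbb{Z}/\pi\mathbb{Z})$ to count the elements with eigenvalue 1, recovering the 21 elements of Example 2.10, and compares the resulting probabilities for $E_1 : y^2 = x^3 + 5x + 7$ with the observed frequencies of the 3-torsion structures of $E_1(\mathbb{F}_p)$ over small primes, detected with the roots of the 3-division polynomial of Definition 2.11. The prime bound, the explicit form of $\psi_3$ and the bad-prime set $\{2, 3, 1823\}$ are my own choices.

```python
from fractions import Fraction
from itertools import product

# Added example, not the paper's code. Curve E1 : y^2 = x^3 + A x + B of Example 2.10.
A, B = 5, 7
# Constructed check: 4A^3 + 27B^2 = 1823 is prime, so E1 has bad reduction only at 2, 3, 1823.
BAD_PRIMES = {2, 3, 1823}


def gl2_counts(pi):
    """Enumerate GL2(Z/piZ): (#GL2, number of g with det(g - Id) = 0, Id included)."""
    total = with_eigenvalue_one = 0
    for a, b, c, d in product(range(pi), repeat=4):
        if (a * d - b * c) % pi == 0:
            continue  # singular matrix, not in GL2
        total += 1
        if ((a - 1) * (d - 1) - b * c) % pi == 0:
            with_eigenvalue_one += 1
    return total, with_eigenvalue_one


def corollary_2_9(pi):
    """(P(E(F_p)[pi] = Z/pi), P(E(F_p)[pi] = Z/pi x Z/pi)) when rho_pi(Gal) = GL2(Z/piZ)."""
    total, fixing_a_line = gl2_counts(pi)
    return Fraction(fixing_a_line - 1, total), Fraction(1, total)


def legendre(x, p):
    """Legendre symbol (x/p) for an odd prime p."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def three_torsion_size(p):
    """#E1(F_p)[3] from the roots of psi_3(x) = 3x^4 + 6Ax^2 + 12Bx - A^2 (the P_3 of
    Definition 2.11 up to a constant): a root x carries 1 + (f(x)/p) affine points of
    order 3, f(x) = x^3 + Ax + B. The result is 1, 3 or 9."""
    points = 1  # the point at infinity
    for x in range(p):
        if (3 * x**4 + 6 * A * x**2 + 12 * B * x - A * A) % p == 0:
            points += 1 + legendre(x**3 + A * x + B, p)
    return points


def primes_upto(bound):
    sieve = bytearray([1]) * bound
    sieve[:2] = b"\x00\x00"
    for i in range(2, int(bound**0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, v in enumerate(sieve) if v]


def observed_frequencies(bound=3000):
    """Fraction of good primes p < bound with E1(F_p)[3] = Z/3 and with Z/3 x Z/3,
    to be compared with 20/48 and 1/48 (Table 1)."""
    cyclic = full = count = 0
    for p in primes_upto(bound):
        if p in BAD_PRIMES:
            continue
        count += 1
        size = three_torsion_size(p)
        cyclic += size == 3
        full += size == 9
    return cyclic / count, full / count, count
```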

Table 1. Comparison of the theoretical values (Th.) of Corollary 2.9 to the experimental results of all primes below $2^{?}$ (Exp.).

                                                         E1                    E2
#GL2(Z/3Z)                                               48
#Gal(Q(E[3])/Q)                                          48                    16
P(E(F_p)[3] ≅ Z/3Z × Z/3Z)          Th.                  1/48 ≈ 0.02083        1/16 = 0.0625
                                    Exp.                 0.02082               0.06245
P(E(F_p)[3] ≅ Z/3Z)                 Th.                  20/48 ≈ 0.4167        4/16 = 0.2500
                                    Exp.                 0.4165                0.2501
#GL2(Z/5Z)                                               480
#Gal(Q(E[5])/Q)                                          480                   32
P(E(F_p)[5] ≅ Z/5Z × Z/5Z)          Th.                  1/480 ≈ 0.002083      1/32 = 0.03125
                                    Exp.                 0.002091              0.03123
P(E(F_p)[5] ≅ Z/5Z)                 Th.                  114/480 = 0.2375      10/32 = 0.3125
                                    Exp.                 0.2373                0.3125

2.2. Effective Computations of $\mathbb{Q}(E[m])$ and $\rho_m(\mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q}))$. The main tools are the division polynomials as defined below.

Definition 2.11. Let $E : y^2 = x^3 + ax + b$ be an elliptic curve over $\mathbb{Q}$ and $m \geq 2$ an integer. The $m$-division polynomial $P_m$ is defined as the monic polynomial whose roots are the $x$-coordinates of all the $m$-torsion affine points. $P_m^{new}$ is defined as the monic polynomial whose roots are the $x$-coordinates of the affine points of order exactly $m$.

Proposition 2.12. For all $m \geq 2$ we have:

(1) $P_m, P_m^{new} \in \mathbb{Q}[X]$;

(2) $\deg(P_m) = \dfrac{m^2 + 2 - 3\eta}{2}$, where $\eta$ is the remainder of $m$ modulo 2.

Proof. For a proof we refer to [?]. □

Note that one obtains different division polynomials for other shapes of elliptic curves (Weierstrass, Montgomery, Edwards, etc.). Nevertheless, the Galois group $\mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q})$ is model independent and can be computed with the division polynomials of Definition 2.11 as, in characteristic different from 2 and 3, every curve can be written in short Weierstrass form.

One can compute $\mathbb{Q}(E[\pi])$ for any prime $\pi > 3$ using the following method:

1. Make a first extension of $\mathbb{Q}$ through an irreducible factor of $P_\pi$ and obtain a number field $F_1$ where $P_\pi$ has a root $\alpha_1$.

2. Let $f_2(y) = y^2 - (\alpha_1^3 + a\alpha_1 + b) \in F_1[y]$ and $F_2$ be the extension of $F_1$ through $f_2$. $F_2$ contains a $\pi$-torsion point $M_1$. In $F_2$, $P_\pi$ has $\frac{\pi-1}{2}$ trivial roots representing the $x$-coordinates of the multiples of $M_1$.

3. Call $F_3$ the extension of $F_2$ through an irreducible factor of $P_\pi \in F_2[x]$ other than those corresponding to the trivial roots.

4. Let $\alpha_2$ be the new root of $P_\pi$ in $F_3$. Let $f_4(y) = y^2 - (\alpha_2^3 + a\alpha_2 + b) \in F_3[y]$ and $F_4$ be the extension of $F_3$ through $f_4$. $F_4$ contains all the $\pi$-torsion.

In practice we observe that in general $P_\pi$, $f_2$, $P_\pi^{(1)}$ and $f_4$ are irreducible, where $P_\pi^{(1)}$ is $P_\pi$ divided by the factors corresponding to the trivial roots. If this is the case, as $\deg(P_\pi) = \frac{\pi^2-1}{2}$ (Proposition 2.12), the absolute degree of $F_4$ is

$\dfrac{\pi^2-1}{2} \cdot 2 \cdot \dfrac{\pi^2-\pi}{2} \cdot 2 = (\pi-1)^2(\pi+1)\pi$.

According to Remark 2.5, $\#\mathrm{GL}_2(\mathbb{Z}/\pi\mathbb{Z}) = (\pi-1)^2(\pi+1)\pi$, thus $\rho_\pi(\mathrm{Gal}(\mathbb{Q}(E[\pi])/\mathbb{Q})) = \mathrm{GL}_2(\mathbb{Z}/\pi\mathbb{Z})$. The case of composite $m$ can be handled in a similar way by replacing $P_\pi$ by $P_m^{new}$ in the method above, and experiments show that in general $\rho_m(\mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q})) = \mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$.

Serre [20] proved that the observation above is almost always true. The next theorem is a restatement of items (1) and (6) in the introduction of [20].

Theorem 2.13 (Serre). Let $E$ be an elliptic curve without complex multiplication.

(1) For all primes $\pi$ and $k \geq 1$ the index $[\mathrm{GL}_2(\mathbb{Z}/\pi^k\mathbb{Z}) : \rho_{\pi^k}(\mathrm{Gal}(\mathbb{Q}(E[\pi^k])/\mathbb{Q}))]$ is non-decreasing and bounded by a constant depending on $E$ and $\pi$.

(2) For all primes $\pi$ outside a finite set depending on $E$ and for all $k \geq 1$, $\rho_{\pi^k}(\mathrm{Gal}(\mathbb{Q}(E[\pi^k])/\mathbb{Q})) = \mathrm{GL}_2(\mathbb{Z}/\pi^k\mathbb{Z})$.

Definition 2.14. Put $I(E, \pi, k) = [\mathrm{GL}_2(\mathbb{Z}/\pi^k\mathbb{Z}) : \rho_{\pi^k}(\mathrm{Gal}(\mathbb{Q}(E[\pi^k])/\mathbb{Q}))]$. If $E$ does not admit complex multiplication, we call Serre's exponent the integer $n(E, \pi) = \min\{n \in \mathbb{N}^* \mid \forall k \geq n,\ I(E, \pi, k+1) = I(E, \pi, k)\}$.

The method described above allows us to compute $\mathbb{Q}(E[m])$ as an extension tower. Then it is easy to obtain its absolute degree and a primitive element. Identifying $\rho_m(\mathrm{Gal}(\mathbb{Q}(E[m])/\mathbb{Q}))$ (up to conjugacy) is easy when there is only one subgroup (up to conjugacy) of $\mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$ with the right order. In the other case we check for each $g \in \mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$, using the fixed generators of $E(\bar{\mathbb{Q}})[m]$, whether $g$ gives rise to an automorphism of $\mathbb{Q}(E[m])$. In practice, the bottleneck of this method is the factorization of polynomials with coefficients in number fields.

2.3. Divisibility by a prime power. It is a common fact that, for a given prime $\pi$, the cardinality of an arbitrary elliptic curve over $\mathbb{F}_p$ has a larger probability to be divisible by $\pi$ than an arbitrary integer of size $p$. In this subsection we shall rigorously compute those probabilities under some hypothesis of generality.

Notation 2.15. Let $\pi$ be a prime and $i, j, k \in \mathbb{N}$ such that $i \leq j$. We put:

$p_{\pi,k}(i, j) = P(E(\mathbb{F}_p)[\pi^k] \simeq \mathbb{Z}/\pi^i\mathbb{Z} \times \mathbb{Z}/\pi^j\mathbb{Z})$.

Let $\ell \leq m$ be integers. When it is defined we denote:

$p_{\pi,k}(\ell, m \mid i, j) = P(E(\mathbb{F}_p)[\pi^{k+1}] \simeq \mathbb{Z}/\pi^\ell\mathbb{Z} \times \mathbb{Z}/\pi^m\mathbb{Z} \mid E(\mathbb{F}_p)[\pi^k] \simeq \mathbb{Z}/\pi^i\mathbb{Z} \times \mathbb{Z}/\pi^j\mathbb{Z})$.

When it is clear from the context, $\pi$ is omitted.

Remark 2.16. Since for every natural number $m$ and every prime $p$ coprime to $m$, $E(\mathbb{F}_p)[m] \subset \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$, we have $p_{\pi,k}(i, j) = 0$ for $j > k$. In the case $j < k$, if $p_{\pi,k}(\ell, m \mid i, j)$ is defined, it equals 1 if $(\ell, m) = (i, j)$ and equals 0 if $(\ell, m) \neq (i, j)$. Finally, for $j = k$, there are only three conditional probabilities which can be non-zero: $p_{\pi,k}(i, k \mid i, k)$, $p_{\pi,k}(i, k+1 \mid i, k)$, and $p_{\pi,k}(k+1, k+1 \mid k, k)$.

Theorem 2.17. Let $\pi$ be a prime and $E$ an elliptic curve over $\mathbb{Q}$. If $k$ is an integer such that $I(E, \pi, k+1) = I(E, \pi, k)$, in particular if $E$ has no complex multiplication and $k \geq n(E, \pi)$, then for all $0 \leq i < k$ we have:

(1) $p_{\pi,k}(k+1, k+1 \mid k, k) = \dfrac{1}{\pi^4}$;

(2) $p_{\pi,k}(k, k+1 \mid k, k) = \dfrac{(\pi-1)(\pi+1)^2}{\pi^4}$;

(3) $p_{\pi,k}(i, k+1 \mid i, k) = \dfrac{1}{\pi}$.

Proof. Let $M = (\mathbb{Z}/\pi^{k+1}\mathbb{Z})^2$. For all $g \in \mathrm{GL}_2(\pi M)$, we consider the set $\mathrm{Lift}(g) = \{h \in \mathrm{GL}_2(M) \mid h|_{\pi M} = g\} = \{g + \pi^k \begin{pmatrix} a & b \\ c & d \end{pmatrix} \mid a, b, c, d \in \mathbb{Z}/\pi\mathbb{Z}\}$, whose cardinality is $\pi^4$. Since $I(E, \pi, k+1) = I(E, \pi, k)$, we have

$\dfrac{\#\mathrm{Gal}(\mathbb{Q}(E[\pi^{k+1}])/\mathbb{Q})}{\#\mathrm{Gal}(\mathbb{Q}(E[\pi^k])/\mathbb{Q})} = \dfrac{\#\mathrm{GL}_2(\mathbb{Z}/\pi^{k+1}\mathbb{Z})}{\#\mathrm{GL}_2(\mathbb{Z}/\pi^k\mathbb{Z})}$,

which equals $\pi^4$ by Remark 2.5. So for all $g \in \rho_{\pi^k}(\mathrm{Gal}(\mathbb{Q}(E[\pi^k])/\mathbb{Q}))$, $\mathrm{Lift}(g) \subset \rho_{\pi^{k+1}}(\mathrm{Gal}(\mathbb{Q}(E[\pi^{k+1}])/\mathbb{Q}))$. Thanks to Theorem 2.7 the proof will follow if we count for each $g$ the number of extensions with a given fixed group.

(1) For $g = \mathrm{Id} \in \rho_{\pi^k}(\mathrm{Gal}(\mathbb{Q}(E[\pi^k])/\mathbb{Q}))$, there is only one element of $\mathrm{Lift}(g)$ fixing $(\mathbb{Z}/\pi^{k+1}\mathbb{Z})^2$, so $p_{\pi,k}(k+1, k+1 \mid k, k) = 1/\pi^4$.

(2) The element $g = \mathrm{Id} \in \rho_{\pi^k}(\mathrm{Gal}(\mathbb{Q}(E[\pi^k])/\mathbb{Q}))$ can be extended in exactly $\pi^4 - 1 - \#\mathrm{GL}_2(\mathbb{Z}/\pi\mathbb{Z})$ ways to elements in $\mathrm{GL}_2(\mathbb{Z}/\pi^{k+1}\mathbb{Z})$ which fix the $\pi^k$-torsion and a point of order $\pi^{k+1}$, but not all the $\pi^{k+1}$-torsion. So $p_{\pi,k}(k, k+1 \mid k, k) = (\pi^4 - 1 - \#\mathrm{GL}_2(\mathbb{Z}/\pi\mathbb{Z}))/\pi^4 = (\pi-1)(\pi+1)^2/\pi^4$.

(3) Every element of $\mathrm{GL}_2(\mathbb{Z}/\pi^k\mathbb{Z})$ which fixes a line, but is not the identity, can be extended in exactly $\pi^3$ ways to an element of $\mathrm{GL}_2(\mathbb{Z}/\pi^{k+1}\mathbb{Z})$ which fixes a line of $(\mathbb{Z}/\pi^{k+1}\mathbb{Z})^2$. So $p_{\pi,k}(i, k+1 \mid i, k) = \pi^3/\pi^4 = 1/\pi$.

□



The theorem below uses the information on $\mathrm{Gal}(\mathbb{Q}(E[\pi^{n(E,\pi)}])/\mathbb{Q})$ for a given prime $\pi$ in order to compute the probabilities of divisibility by any power of $\pi$.

Notation 2.18. Let $\pi$ be a prime and, for $h \geq 0$, $\gamma_n(h) = \pi^{-h} \sum_{\ell=0}^{h} \pi^{\ell} p_n(\ell, n)$. We also define, for $k \geq 1$ and $0 \leq h \leq \lfloor k/2 \rfloor$,

$\delta_k(h) = \sum_{\ell=h}^{\lfloor k/2 \rfloor} p_{k-\ell}(\ell, k-\ell) + \delta(k)$, where $\delta(k) = p_{\frac{k+1}{2}}\!\left(\tfrac{k+1}{2}, \tfrac{k+1}{2}\right)$ if $k$ is odd and $\delta(k) = 0$ otherwise.

Theorem 2.19. Let $\pi$ be a prime, $E$ an elliptic curve over $\mathbb{Q}$ without complex multiplication and $n \geq n(E, \pi)$. Put $c_1 = \frac{1}{\pi^4}$, $c_2 = \frac{(\pi-1)(\pi+1)^2}{\pi^4}$ and $c_3 = \frac{1}{\pi}$ (the conditional probabilities of Theorem 2.17). Then, for any $k \geq 1$,

$P(\pi^k \mid \#E(\mathbb{F}_p)) = \begin{cases} \delta_k(0) & \text{if } 1 \leq k \leq n, \\ \frac{1}{\pi}\gamma_n(k-n-1) + \delta_k(k-n) & \text{if } n < k \leq 2n, \\ \pi^{2n-k-1}\gamma_n(n-1) + \Big(\sum_{\ell=n}^{\lceil k/2 \rceil - 1} c_2 c_1^{\ell-n} c_3^{k-2\ell-1} + c_1^{\lceil k/2 \rceil - n}\Big) p_n(n, n) & \text{if } k > 2n. \end{cases}$

Let $\bar v_\pi$ be the average valuation of $\pi$ of $\#E(\mathbb{F}_p)$ for an arbitrary prime $p$. Then,

$\bar v_\pi = 2\sum_{\ell=1}^{n-1} p_\ell(\ell, \ell) + \dfrac{\pi}{\pi-1}\sum_{\ell=0}^{n-1} p_n(\ell, n) + \sum_{\ell=0}^{n-2}\sum_{i=\ell+1}^{n-1} p_i(\ell, i) + \dfrac{2\pi^4 + \pi^3 + 2\pi^2 + \pi}{\pi^4 - 1}\, p_n(n, n)$.

Proof. Let $k$ be a positive integer. Using Figure 1 one checks that

(1) $P(\pi^k \mid \#E(\mathbb{F}_p)) = \sum_{\ell=0}^{\lfloor k/2 \rfloor} p_{k-\ell}(\ell, k-\ell) + \delta(k)$.

With the notations $c_1 = \frac{1}{\pi^4}$, $c_2 = \frac{(\pi-1)(\pi+1)^2}{\pi^4}$ and $c_3 = \frac{1}{\pi}$, the hypothesis can be illustrated by Figure 1. For $j > n$ and $\ell < n$, the probability $p_j(\ell, j)$ is the product of the conditional probabilities of the unique path from $(\ell, j)$ to $(\ell, n)$ in the graph of Figure 1 times the probability $p_n(\ell, n)$. For $j > n$ and $\ell \geq n$, the probability $p_j(\ell, j)$ is the product of the conditional probabilities of the unique path from $(\ell, j)$ to $(n, n)$ in the graph of Figure 1 times the probability $p_n(n, n)$.

There are 3 cases that have to be treated separately: $1 \leq k \leq n$, $n < k \leq 2n$ and $k > 2n$. For $1 \leq k \leq n$, the result follows from Equation (1). Let us explain
Figure 1. Each node of coordinates $(i, j)$ represents the event $E(\mathbb{F}_p)[\pi^j] \simeq \mathbb{Z}/\pi^i\mathbb{Z} \times \mathbb{Z}/\pi^j\mathbb{Z}$. The arrows represent the conditional probabilities of Theorem 2.17: for $j \geq n$, an arrow labelled $c_3$ from $(i, j)$ to $(i, j+1)$ when $i < j$, an arrow labelled $c_2$ from $(j, j)$ to $(j, j+1)$ and an arrow labelled $c_1$ from $(j, j)$ to $(j+1, j+1)$. The nodes with $i + j \geq k$ are exactly those where $\pi^k \mid \#E(\mathbb{F}_p)$.

the case for $k > 2n$, with $k = 2i$:

$P(\pi^{2i} \mid \#E(\mathbb{F}_p)) = \sum_{\ell=0}^{i} p_{2i-\ell}(\ell, 2i-\ell) + \delta(2i) = \sum_{\ell=0}^{i} p_{2i-\ell}(\ell, 2i-\ell)$

$= \sum_{\ell=0}^{n-1} p_{2i-\ell}(\ell, 2i-\ell) + \sum_{\ell=n}^{i-1} p_{2i-\ell}(\ell, 2i-\ell) + p_i(i, i)$

$= \sum_{\ell=0}^{n-1} c_3^{\,2i-\ell-n}\, p_n(\ell, n) + \sum_{\ell=n}^{i-1} c_2 c_1^{\,\ell-n} c_3^{\,2i-2\ell-1}\, p_n(n, n) + c_1^{\,i-n}\, p_n(n, n)$.

After computations, one obtains the desired formula. The cases $k > 2n$ odd, and $n < k \leq 2n$ are treated similarly. The formula for $\bar v_\pi$ is obtained using

$\bar v_\pi = \sum_{k \geq 1} P(\pi^k \mid \#E(\mathbb{F}_p))$.

□



Remark 2.20. The theorem proves in particular that there exists a bound $B$ such that for primes $\pi > B$, $P(\pi^2 \mid \#E(\mathbb{F}_p)) \leq \frac{2}{\pi^2}$, so the probability that the cardinality is divisible by the square of a prime greater than $B$ is at most $\frac{2}{B}$. This confirms the experimental result that an elliptic curve is close to a cyclic group when reduced modulo an arbitrary prime, regardless of its rank over $\mathbb{Q}$.

Example 2.21. Let us compare the theoretical and experimental average valuation of $\pi = 2$, $\pi = 3$ and $\pi = 5$ for the curves $E_1 : y^2 = x^3 + 5x + 7$ and $E_2 : y^2 = x^3 - 11x + 14$. For $E_1$, we apply Theorem 2.19 with $n = 1$ and compute the necessary probabilities with Corollary 2.9, knowing that the Galois groups are isomorphic to $\mathrm{GL}_2(\mathbb{Z}/\pi\mathbb{Z})$. For $E_2$, we apply Theorem 2.19 with $n = 5$ for $\pi = 2$, $n = 2$ for $\pi = 3$ and $n = 1$ for $\pi = 5$ and compute the necessary probabilities with Corollary 2.9 (when $n = 1$) and Theorem 2.7 (when $n \geq 2$). The results are shown in Table 2.

In order to apply Theorem 2.19 we need $n \geq n(E, \pi)$. But since we do not know any algorithm to compute $n(E, \pi)$, we have to assume that our guesses for $n(E_i, \pi)$, $i = 1, 2$, are true. The relative error for $E_2$ and $\pi = 5$ is large compared to the other cases, which can be explained by the fact that we were unable to compute $\mathrm{Gal}(\mathbb{Q}(E_2[25])/\mathbb{Q})$ and cannot be sure that $n(E_2, 5) = 1$.
Table 2. Experimental values (Exp.) are obtained with all primes below $2^{?}$. Theoretical values (Th.) come from Theorem 2.19.

        Average valuation of 2          Average valuation of 3          Average valuation of 5
        n   Th.            Exp.         n   Th.              Exp.       n   Th.               Exp.
E1      1   14/9 ≈ 1.556   1.555        1   87/128 ≈ 0.680   0.679      1   695/2304 ≈ 0.302  0.301
E2      5   ≈ 3.518        3.499        2   ≈ 0.518          0.516      1   ≈ 0.462           0.469
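For $n = 1$ (a generic Galois image, as for $E_1$) Theorem 2.19 can be evaluated exactly. The following added example (not the paper's code) implements its three cases and the closed formula for $\bar v_\pi$, checks that the series $\sum_{k \geq 1} P(\pi^k \mid \#E(\mathbb{F}_p))$ sums to $\bar v_\pi$, and compares $\bar v_2 = 14/9$ with the observed 2-adic valuation of $\#E_1(\mathbb{F}_p)$ over small primes, with $\#E_1(\mathbb{F}_p)$ counted by a Legendre-symbol sum. The closed form $\pi^3 - 2\pi - 1$ for the count of Corollary 2.9 and the prime bound are my own.

```python
from fractions import Fraction

# Added example, not the paper's code. Theorem 2.19 with n = 1, i.e. the Galois image of the
# pi-torsion is all of GL2(Z/piZ) and I(E, pi, k) is constant from k = 1 on.


def generic_level_one(pi):
    """p_1(0,1) and p_1(1,1) of Notation 2.15 for a generic curve (Corollary 2.9). The number
    of g in GL2(Z/piZ) with det(g - Id) = 0, g != Id is pi^3 - 2pi - 1 (closed form of the
    count, 20 for pi = 3 as in Example 2.10)."""
    order = (pi - 1) ** 2 * (pi + 1) * pi
    return Fraction(pi**3 - 2 * pi - 1, order), Fraction(1, order)


def constants(pi):
    """c1, c2, c3: the conditional probabilities of Theorem 2.17."""
    return Fraction(1, pi**4), Fraction((pi - 1) * (pi + 1) ** 2, pi**4), Fraction(1, pi)


def prob_divisible(pi, k):
    """P(pi^k | #E(F_p)) from Theorem 2.19 with n = 1."""
    a, b = generic_level_one(pi)  # p_1(0,1), p_1(1,1)
    c1, c2, c3 = constants(pi)
    if k == 1:  # 1 <= k <= n: delta_1(0) = p_1(0,1) + p_1(1,1)
        return a + b
    if k == 2:  # n < k <= 2n: gamma_1(0)/pi + delta_2(1) = p_1(0,1)/pi + p_1(1,1)
        return a / pi + b
    # k > 2n: pi^(1-k) gamma_1(0) + p_1(1,1) (sum_{l=1}^{ceil(k/2)-1} c2 c1^(l-1)
    # c3^(k-2l-1) + c1^(ceil(k/2)-1))
    half = (k + 1) // 2
    tail = sum((c2 * c1 ** (l - 1) * c3 ** (k - 2 * l - 1) for l in range(1, half)), Fraction(0))
    return a / pi ** (k - 1) + b * (tail + c1 ** (half - 1))


def average_valuation(pi):
    """Closed formula of Theorem 2.19 for the average valuation with n = 1."""
    a, b = generic_level_one(pi)
    c1, c2, c3 = constants(pi)
    return Fraction(pi, pi - 1) * a + (2 / (1 - c1) + c2 / ((1 - c1) * (1 - c3))) * b


def series_valuation(pi, terms=80):
    """sum_{k>=1} P(pi^k | #E(F_p)), which must agree with average_valuation(pi)."""
    return float(sum(prob_divisible(pi, k) for k in range(1, terms + 1)))


def curve_order(p, A=5, B=7):
    """#E(F_p) for y^2 = x^3 + Ax + B by a Legendre-symbol sum (E1 of Example 2.21 by default)."""
    total = 1  # point at infinity
    for x in range(p):
        v = (x**3 + A * x + B) % p
        total += 1 if v == 0 else (2 if pow(v, (p - 1) // 2, p) == 1 else 0)
    return total


def observed_valuation(pi, bound=2500):
    """Average pi-adic valuation of #E1(F_p) over primes 5 <= p < bound; 1823 divides the
    discriminant of E1 (constructed check) and is skipped."""
    primes = [q for q in range(5, bound)
              if q != 1823 and all(q % r for r in range(2, int(q**0.5) + 1))]
    total = 0
    for q in primes:
        n = curve_order(q)
        while n % pi == 0:
            n //= pi
            total += 1
    return total / len(primes)
```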



3. Applications to some Families of Elliptic Curves 

As shown in the preceding section, changing the torsion properties is equivalent to modifying the Galois group. Imposing rational torsion points can be seen as one way of modifying the Galois group. In this section we change the Galois group either by splitting the division polynomials or by imposing some equations that directly modify the Galois group. With these ideas, we find new infinite ECM-friendly families and we explain the properties of some known curves.

3.1. Preliminaries on Montgomery and Twisted Edwards Curves. Let $K$ be a field whose characteristic is neither 2 nor 3.

3.1.1. Edwards curves. For $a, d \in K$, with $ad(a - d) \neq 0$, the twisted Edwards curve $ax^2 + y^2 = 1 + dx^2y^2$ is denoted by $E_{a,d}$. The "$a = -1$" twisted Edwards curves are denoted by $E_d$. In [6] completed twisted Edwards curves are defined by

$\bar E_{a,d} = \{((X : Z), (Y : T)) \in \mathbb{P}^1 \times \mathbb{P}^1 \mid aX^2T^2 + Y^2Z^2 = Z^2T^2 + dX^2Y^2\}$.

The completed points are the affine $(x, y)$ embedded into $\mathbb{P}^1 \times \mathbb{P}^1$ by $(x, y) \mapsto ((x : 1), (y : 1))$ (see [6] for more information). We denote $(1 : 0)$ by $\infty$.

We give an overview of all the 2- and 4-torsion and some 8-torsion points on $E_{a,d}$, as specified in [6], in Figure 2.

3.1.2. Montgomery curves and Suyama family. Let $A, B \in K$ be such that $B(A^2 - 4) \neq 0$. The Montgomery curve $By^2 = x^3 + Ax^2 + x$ associated to $(A, B)$ is denoted by $M_{A,B}$ (see [17]) and its completion in $\mathbb{P}^2$ by $\bar M_{A,B}$.

Remark 3.1. If $a, d, A, B \in K$ are such that $d = \frac{A-2}{B}$ and $a = \frac{A+2}{B}$, then there is a birational map between $E_{a,d}$ and $M_{A,B}$ given by $((x : z), (y : t)) \mapsto ((t + y)x : (t + y)z : (t - y)x)$ (see [?]). Therefore $M_{A,B}$ and $E_{a,d}$ have the same group structure over any field where defined and in particular the same torsion properties. Any statement in twisted Edwards language can be easily translated into Montgomery coordinates and vice versa.

A Montgomery curve for which there exist $x_3, y_3, k, x_\infty, y_\infty \in \mathbb{Q}$ such that

(2) $P_3(x_3) = 0$, $By_3^2 = x_3^3 + Ax_3^2 + x_3$ (3-torsion point); $k = \dfrac{y_3}{y_\infty}$, $k^2 = \dfrac{x_3^3 + Ax_3^2 + x_3}{x_\infty^3 + Ax_\infty^2 + x_\infty}$ (non-torsion point); $x_\infty = x_3^3$ (Suyama equation)

is called a Suyama curve. As described in [23, 24], the solutions of (2) can be parametrized by a rational value denoted $\sigma$. For all $\sigma \in \mathbb{Q} \setminus \{0, \pm 1, \pm 3, \pm 5, \pm \frac{5}{3}\}$, the associated Suyama curve has positive rank and a rational point of order 3.
Figure 2. An overview of all 1-, 2- and 4-torsion and some 8-torsion points on twisted Edwards curves. The $x_8$ and $\bar x_8$ in the 8-torsion points are such that $adx_8^4 - 2ax_8^2 + 1 = 0$ and $ad\bar x_8^4 - 2d\bar x_8^2 + 1 = 0$.


Remark 3.2. In the following, when we say that an elliptic curve $E_{a,d}$ has good reduction modulo a prime $p$, we also suppose that we have $v_p(a) = v_p(d) = v_p(a - d) = 0$ (resp. $v_p(A - 2) = v_p(A + 2) = v_p(B) = 0$ for a Montgomery curve). In this case the reduction map is simply given by reducing the coefficients modulo $p$. The results below are also true for primes of good reduction which do not satisfy these conditions, by slightly modifying the statements and the proofs. Moreover, in ECM, if the conditions are not satisfied, we immediately find the factor $p$.



3.2. Study of the $2^k$-Torsion of Montgomery/Twisted Edwards Curves.

The rational torsion of a Montgomery/twisted Edwards curve is $\mathbb{Z}/2\mathbb{Z}$ but it is known that 4 divides the order of the curve when reduced modulo any prime $p$ [23]. The following theorem gives more detail on the $2^k$-torsion.

Theorem 3.3. Let $E = E_{a,d}$ be a twisted Edwards curve (resp. a Montgomery curve $M_{A,B}$) over $\mathbb{Q}$. Let $p$ be a prime such that $E$ has good reduction at $p$.

(1) If $p \equiv 3 \pmod 4$ and $\frac{d}{a}$ (resp. $A^2 - 4$) is a quadratic residue modulo $p$, then $E(\mathbb{F}_p)[4] \simeq \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$;

(2) If $p \equiv 1 \pmod 4$, $a$ (resp. $\frac{A+2}{B}$) is a quadratic residue modulo $p$ (in particular if $a = \pm 1$) and $\frac{d}{a}$ (resp. $A^2 - 4$) is a quadratic residue modulo $p$, then $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z} \subset E(\mathbb{F}_p)[4]$;

(3) If $p \equiv 1 \pmod 4$, $\frac{d}{a}$ (resp. $A^2 - 4$) is a quadratic non-residue modulo $p$ and $a - d$ (resp. $B$) is a quadratic residue modulo $p$, then $E(\mathbb{F}_p)[8] \simeq \mathbb{Z}/8\mathbb{Z}$.

Proof. Using Remark 3.1 it is enough to prove the results in the Edwards language, which follow by some calculations using Figure 2. □



Theorem 3.3 suggests that by imposing equations on the parameters $a$ and $d$ we can improve the torsion properties. The case where $\frac{d}{a}$ is a square has been studied in [3] and [5] for the family of Edwards curves having $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/8\mathbb{Z}$ (when $a = 1$) respectively $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ (when $a = -1$) rational torsion. Here we focus on two other equations:

(3) $\exists c \in \mathbb{Q},\ a = -c^2$ ($A + 2 = -Bc^2$ for Montgomery curves),

(4) $\exists c \in \mathbb{Q},\ a - d = c^2$ ($B = c^2$ for Montgomery curves).

We were not able to compute the generic Galois group of the $m$-torsion for a family of curves, i.e., a group that is isomorphic to the Galois group for "most" of the curves of the family (here "most" is meant in the sense that most polynomials of degree $d$ have Galois group $S_d$). But we can compute this Galois group for every elliptic curve. So when we talk about the Galois group of a family of curves, we mean that we computed the Galois group for some curves of this family and that the Galois group was always the same (up to conjugacy), so the curves have the same probabilities.

The cardinality of the Galois group of the 4-torsion for generic Montgomery curves is 16 and this is reduced to 8 for the family of curves satisfying (3). Using Theorem 2.7 we can compute the changes of probabilities due to this new Galois group. For all curves satisfying (3) and all primes $p \equiv 1 \pmod 4$, the probability of having $\mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$ as the 4-torsion group becomes [illegible] (instead of [illegible]); the probabilities of having $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ and $\mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ as the 4-torsion group become [illegible] (instead of [illegible]).

The Galois group of the 8-torsion of the family of curves satisfying (4) has cardinality 128 instead of 256 for generic Montgomery curves. Using Theorem 2.7 one can see that the probabilities of having an 8-torsion point are improved.

Using Theorem 2.19 one can show that both families of curves, the family satisfying (3) and the one satisfying (4), increase the probability of having the cardinality divisible by 8 from 62.5% to 75% and the average valuation of 2 from $\frac{10}{3}$ to $\frac{11}{3}$.

3.3. Better Twisted Edwards Curves with Torsion $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ using Division Polynomials. In this section we search for curves such that some of the factors of the division polynomials split and by doing so we try to change the Galois groups. As an example we consider the family of $a = -1$ twisted Edwards curves $E_d$ with $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ torsion; these curves are exactly the ones with $d = -e^4$ (see [?]). The technique might be used in any context.

3.3.1. Looking for subfamilies. For a generic $d$, $P_8^{new}$ splits into three irreducible factors: two of degree 4 and one of degree 16. If one takes $d = -e^4$, the polynomial of degree 16 splits into three factors: two of degree 4, called $P_{8,0}$ and $P_{8,1}$, and one of degree 8, called $P_{8,2}$. By trying to force one of these three polynomials to split, we found four families, as shown in Table 3.

In all these families the generic average valuation of 2 is increased by $\frac{1}{6}$ ($\frac{29}{6}$ instead of $\frac{14}{3}$), except the family $e = \frac{g^2-1}{2g}$ for which it is increased by $\frac{1}{3}$, bringing it to the same valuation as for the family of twisted Edwards curves with $a = 1$ and torsion isomorphic to $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/8\mathbb{Z}$. Note that these four families cover all the curves presented in the first three columns of [5, Table 3.1], except the two curves with $e = $ [illegible] and $e = $ [illegible] which have a generic Galois group for the 8-torsion.

3.3.2. The family $e = \frac{g^2-1}{2g}$. In this section, we study in more detail the family $e = \frac{g^2-1}{2g}$. Theorem 2.7 proves that the group order modulo all primes is divisible by 16. In order to gain more intuition, we give an alternative proof. We need the following theorem which computes the 8-torsion points that double to the 4-torsion points $(\pm e^{-1}, \pm e^{-1})$.

Table 3. Subfamilies of twisted Edwards curves with torsion group isomorphic to $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ and the degrees of the irreducible factors of $P_{8,0}$, $P_{8,1}$ and $P_{8,2}$. (Only the first three rows are legible in this copy; the two remaining families are not reproduced.)

                 P_{8,0}    P_{8,1}    P_{8,2}
generic e        4          4          8
e = g^2          4          4          4, 4
[illegible]      4          4          4, 4

Theorem 3.4. Let $E_d$ be a twisted Edwards curve over $\mathbb{Q}$ with $d = -e^4$, $e = \frac{g^2-1}{2g}$ and $g \in \mathbb{Q} \setminus \{-1, 0, 1\}$. Let $p > 3$ be a prime of good reduction. If $t \in \{1, -1\}$ is such that $tg(g-1)(g+1)$ is a quadratic residue modulo $p$, then the points $(x, y) \in E_d(\mathbb{F}_p)$, with $w \in \{1, -1\}$, and

(5) $x = \pm g^{w} y$, $y = \pm\sqrt{\dfrac{4tg^{2-w}}{(g - tw)^3(g + tw)}}$

have order eight and double to $(\pm e^{-1}, te^{-1})$.

Proof. Note that all points $(x, y)$ of order eight satisfy $\infty \neq x \neq 0 \neq y \neq \infty$. Following [?, Theorem 2.10] a point $(x, y)$ doubles to $((2xy : 1 + dx^2y^2), (x^2 + y^2 : 1 - dx^2y^2)) = ((2xy : -x^2 + y^2), (x^2 + y^2 : 2 - (-x^2 + y^2)))$. Let $s, t \in \{1, -1\}$ be such that $(x, y)$ doubles to $(se^{-1}, te^{-1})$, hence

$\dfrac{2xy}{-x^2 + y^2} = \dfrac{s}{e}$ and $\dfrac{x^2 + y^2}{2 - (-x^2 + y^2)} = \dfrac{t}{e}$.

From the first equation we obtain $\left(\frac{x}{y} + se\right)^2 = 1 + e^2$. Write $e = \frac{g^2-1}{2g}$ such that $1 + e^2 = \left(\frac{g^2+1}{2g}\right)^2$. Hence $\frac{x}{y} \in \{\pm g, \pm\frac{1}{g}\}$ depending on the sign $s$ and the sign after taking the square root. This gives $x^2 = G^2y^2$ with $G^2 \in \{g^2, g^{-2}\}$.

From the second equation we obtain $(e - t)x^2 + (e + t)y^2 = 2t$ and substituting $x^2$ results in $((e - t)G^2 + (e + t))y^2 = 2t$. This can be solved for $y$ when $2t((e - t)G^2 + (e + t))$ is a quadratic residue modulo $p$. This is equivalent to checking if any of

(6) $2t((e - t)g^2 + (e + t)) = \dfrac{t(g-1)(g+1)(g-t)^2}{g}$,

(7) $2t((e - t) + (e + t)g^2) = \dfrac{t(g-1)(g+1)(g+t)^2}{g}$

is a quadratic residue modulo $p$. By assumption $tg(g-1)(g+1)$ is a quadratic residue modulo $p$. Hence, both expressions (6) and (7) are quadratic residues modulo $p$. Solving for $y$ and keeping track of all the signs results in the formulae in (5). □
A direct consequence of this theorem is as follows.

Corollary 3.5. Let $E = E_d$ be a twisted Edwards curve over $\mathbb{Q}$ with $d = -\left(\frac{g^2-1}{2g}\right)^4$, $g \in \mathbb{Q} \setminus \{-1, 0, 1\}$ and $p > 3$ a prime of good reduction. Then $E(\mathbb{Q})$ has torsion group isomorphic to $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ and the group order of $E(\mathbb{F}_p)$ is divisible by 16.

Proof. We consider two cases.

(1) If $p \equiv 1 \pmod 4$ then $-1$ is a quadratic residue modulo $p$. Hence, the 4-torsion points $(\pm i, 0)$ exist (see Figure 2); together with the rational torsion $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ they generate the full 4-torsion $E[4] \cong \mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$, so $16 \mid \#E(\mathbb{F}_p)$.

(2) If $p \equiv 3 \pmod 4$ then $-1$ is a quadratic non-residue modulo $p$. Then exactly one of $\{g(g-1)(g+1), -g(g-1)(g+1)\}$ is a quadratic residue modulo $p$. Using Thm. 3.4 it follows that $E(\mathbb{F}_p)$ contains eight points of order 8, so it contains a subgroup $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/8\mathbb{Z}$ and hence $16 \mid \#E(\mathbb{F}_p)$. □



Corollary 3.5 explains the good behavior of the curve with $d = -(77/36)^4$ and torsion group isomorphic to $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ found in [5]. This parameter can be expressed as $d = -\left(\frac{77}{36}\right)^4 = -\left(\frac{g^2-1}{2g}\right)^4$ for $g = \frac{9}{2}$ and, therefore, the group order is divisible by an additional factor two.

Corollary 3.6. Let $g \in \mathbb{Q} \setminus \{-1, 0, 1\}$, $d = -\left(\frac{g^2-1}{2g}\right)^4$ and $p \equiv 1 \pmod 4$ be a prime of good reduction. If $g(g-1)(g+1)$ is a quadratic residue modulo $p$ then the group order of $E_d(\mathbb{F}_p)$ is divisible by 32.

Proof. All 16 4-torsion points are in $E_d(\mathbb{F}_p)$ (see Figure 2). By Thm. 3.4 we have at least one 8-torsion point, so $E_d(\mathbb{F}_p)$ contains a subgroup $\mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/8\mathbb{Z}$. Hence, $32 \mid \#E_d(\mathbb{F}_p)$. □

We generated different values $g \in \mathbb{Q}$ by setting $g = i/j$ with $1 \le i < j \le 200$ such that $\gcd(i, j) = 1$. This resulted in 12 231 possible values for $g$, and Sage [22] found 614 non-torsion points. As expected, we observed that these curves behave similarly to the good curve found in [5].
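The statements of Theorem 3.4 and Corollaries 3.5 and 3.6 can be checked numerically without Sage. The following is an added example, not code from the paper: it reduces $d = -e^4$ with $e = (g^2-1)/(2g)$ modulo small primes, counts the points of the completed curve by brute force (affine points plus the points at infinity of the $\mathbb{P}^1 \times \mathbb{P}^1$ model), constructs the points of Theorem 3.4 and verifies that they have order eight, and reports for which primes the hypothesis of Corollary 3.6 holds. All function names are this example's own, and the point count is $O(p)$ per prime, so it is meant for primes of a few hundred at most.

```python
"""Added example (not code from the paper): plain-Python checks of Theorem 3.4 and
Corollaries 3.5/3.6 for -x^2 + y^2 = 1 + d x^2 y^2 with d = -e^4, e = (g^2-1)/(2g).
Point counting is a brute-force O(p) scan, so small primes only; names are this
example's own."""
from fractions import Fraction


def legendre(a, p):
    """Legendre symbol (a/p), p an odd prime: 1 (square), -1 (non-square), 0."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def mod_p(q, p):
    """Reduce the rational q modulo p (ValueError if p divides its denominator)."""
    q = Fraction(q)
    return q.numerator * pow(q.denominator, -1, p) % p


def curve_params(g):
    """(e, d) = ((g^2 - 1)/(2g), -e^4) for a rational g not in {-1, 0, 1}."""
    e = (Fraction(g) ** 2 - 1) / (2 * Fraction(g))
    return e, -e ** 4


def reduced_d(g, p):
    """d mod p if p > 3 is a prime of good reduction for this model, i.e. d is defined
    mod p and a*d*(a-d) != 0 with a = -1 (d = 0 or d = -1 is singular); else None."""
    if p <= 3:
        return None
    try:
        d = mod_p(curve_params(g)[1], p)
    except ValueError:
        return None
    return None if d in (0, p - 1) else d


def count_points(d, p):
    """#E(F_p): affine points of -x^2 + y^2 = 1 + d x^2 y^2 plus the points at infinity
    of the P^1 x P^1 completion: two (Z = 0) iff a/d = -1/d is a square, two (T = 0)
    iff d is a square."""
    nroots = [0] * p                         # nroots[r] = #{y : y^2 = r}
    for y in range(p):
        nroots[y * y % p] += 1
    n = 0
    for x in range(p):                       # y^2 (1 - d x^2) = 1 + x^2
        num, den = (1 + x * x) % p, (1 - d * x * x) % p
        if den:                              # den = 0 forces num != 0: no point there
            n += nroots[num * pow(den, -1, p) % p]
    n += 2 if legendre(-pow(d, -1, p), p) == 1 else 0
    n += 2 if legendre(d, p) == 1 else 0
    return n


def double(P, d, p):
    """2P for affine P, or None if 2P is at infinity (on the curve y^2 - x^2 = 1 + d x^2 y^2
    and 2 + x^2 - y^2 = 1 - d x^2 y^2 are the two denominators of the doubling formula)."""
    x, y = P
    den1, den2 = (y * y - x * x) % p, (2 + x * x - y * y) % p
    if den1 == 0 or den2 == 0:
        return None
    return (2 * x * y * pow(den1, -1, p) % p, (x * x + y * y) * pow(den2, -1, p) % p)


def eight_torsion_points(g, p):
    """The points of Theorem 3.4 in E_d(F_p): for each sign t with t*g(g-1)(g+1) a square
    and each w in {1, -1}, x = ±g^w y with y^2 = 4 t g^(2-w) / ((g - tw)^3 (g + tw))."""
    gp, pts = mod_p(g, p), []
    for t in (1, -1):
        if legendre(t * gp * (gp - 1) * (gp + 1), p) != 1:
            continue
        for w in (1, -1):
            den = pow(gp - t * w, 3, p) * (gp + t * w) % p
            y2 = 4 * t * pow(gp, 2 - w, p) * pow(den, -1, p) % p
            for y in (y for y in range(p) if y * y % p == y2):
                pts += [(pow(gp, w, p) * y % p, y), (-pow(gp, w, p) * y % p, y)]
    return pts


def has_order_eight(P, g, p):
    """P doubles to (±1/e, ±1/e), whose own double has denominator y^2 - x^2 = 0, i.e. is
    the Z = 0 point of order 2; so 2P has order 4 and P has order 8."""
    inv_e = pow(mod_p(curve_params(g)[0], p), -1, p)
    Q = double(P, reduced_d(g, p), p)
    return Q is not None and Q[0] in (inv_e, p - inv_e) and Q[1] in (inv_e, p - inv_e)


def check_family(g, pmax):
    """(p, #E_d(F_p), hypothesis of Corollary 3.6 holds?) for good primes 3 < p < pmax."""
    rows = []
    for p in range(5, pmax):
        d = reduced_d(g, p) if all(p % q for q in range(2, int(p ** 0.5) + 1)) else None
        if d is not None:
            gp = mod_p(g, p)
            cond32 = p % 4 == 1 and legendre(gp * (gp - 1) * (gp + 1), p) == 1
            rows.append((p, count_points(d, p), cond32))
    return rows


if __name__ == "__main__":                   # the curve of [5]: g = 9/2, e = 77/36
    for p, n, c32 in check_family(Fraction(9, 2), 100):
        print(p, n, "divisible by 16:", n % 16 == 0, "by 32:", n % 32 == 0, "expected:", c32)
```

Running it for $g = 9/2$ prints only multiples of 16, with 32 dividing the order whenever `cond32` is true; the primes 5 and 7 never appear because $e^4 \equiv 1$ or $e \equiv 0$ there, so they are primes of bad reduction for every $g$, which is consistent with the Hasse bound (16 points are impossible for $p \le 7$).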

3.3.3. Parametrization. In [5] a "generating curve" is specified which parametrizes $d$ and the coordinates of the non-torsion points. Arithmetic on this curve can be used to generate an infinite family of twisted Edwards curves with torsion group isomorphic to $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ and a non-torsion point. Using ideas from [10] we found a parametrization which does not involve a generating curve and hence no curve arithmetic.

Theorem 3.7. Let $t \in \mathbb{Q} \setminus \{0, \pm 1\}$ and $d = -e^4$, $e = $ ^^^T^', $x_\infty = $ (^^^ + and $y_\infty = $ ^^^gjirzg^-. Then the twisted Edwards curve $-x^2 + y^2 = 1 + dx^2y^2$ has torsion group $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ and $(x_\infty, y_\infty)$ is a non-torsion point.

Proof. The twisted Edwards curve has torsion group $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ because $d = -e^4$ and $e$ is not equal to 0 and $\pm 1$. The point $(x_\infty, y_\infty)$ is on the curve and since $x_\infty \notin \{0, \infty, e^{-1}, -e^{-1}\}$ this is a non-torsion point. □

This rational parametrization allowed us to impose additional conditions on the 
parameter e. For the four families, except e = g^ which is treated below, the 
parameter e is given by an elliptic curve of rank over Q. 
Corollary 3.8. Let $P = (x, y)$ be a non-torsion point on the elliptic curve $y^2 = x^3 - 36x$ having rank 1. Let $t = $ ^|ir|; using the notation of Theorem 3.7, the curve E_f,i belongs to the family $e = $ and has positive rank over $\mathbb{Q}$.

3.4. Better Suyama Curves by a Direct Change of the Galois Group. In this section we will present two families that change the Galois group of the 4- and 8-torsion without modifying the factorization pattern of the 4- and 8-division polynomials.

3.4.1. Suyama-11. Kruppa observed in [?] that among the Suyama curves, the one corresponding to $\sigma = 11$ finds exceptionally many primes. Barbulescu [3] extended it to an infinite family that we present in detail here.

Experiments show that the $\sigma = 11$ curve differs from other Suyama curves only by its probabilities to have a given $2^k$-torsion when reduced modulo primes $p \equiv 1 \pmod 4$. The reason is that the $\sigma = 11$ curve satisfies Equation (3). Section 3.2 illustrates the changes in probabilities of the $\sigma = 11$ curve when compared to curves which do not satisfy Equation (3) and shows that Equation (3) improves the average valuation of 2 from $10/3$ to $11/3$.

Let us call Suyama-11 the set of Suyama curves which satisfy Equation (3). When solving the system formed by Suyama's system plus Equation (3), we obtain an elliptic parametrization for $\sigma$. Given a point $(u, v)$ on $E_{\sigma 11}: v^2 = u^3 - u^2 - 120u + 432$, $\sigma$ is obtained as $\sigma = $ T^^^ $+ 5$. The group $E_{\sigma 11}(\mathbb{Q})$ is generated by the points $P_\infty = (-6, 30)$, $P_2 = (-12, 0)$ and $Q_2 = (4, 0)$ of orders $\infty$, 2 and 2 respectively. We exclude $O$, $\pm P_\infty$, $P_2$, $Q_2$, $P_2 + Q_2$, and $Q_2 \pm P_\infty$, which are the points producing non-valid values of $\sigma$. The points $\pm R$, $Q_2 \pm R$ lead to isomorphic curves. Note that the $\sigma = 11$ curve corresponds to the point $(44, 280) = P_\infty + P_2$.

3.4.2. Edwards $\mathbb{Z}/6\mathbb{Z}$: Suyama-11 in disguise. In [5, Sec. 5] it is shown that the $a = -1$ twisted Edwards curves with $\mathbb{Z}/6\mathbb{Z}$-torsion over $\mathbb{Q}$ are precisely the curves $E_d$ with

$$d = -\frac{16u^3(u^2 - u + 1)}{(u - 1)^6 (u + 1)^2},$$

where $u$ is a rational parameter.$^1$ In particular, according to [5, Sec. 5.3] one can translate any Suyama curve in Edwards language and then impose the condition that $-a$ is a square to obtain curves of the $a = -1$ type. Finally, [5, Sec. 5.5] points out that this family has exceptional torsion properties.

In order to understand the properties of this family, we translate it back to Montgomery language using Remark 3.1. Thus, we are interested in Suyama curves which satisfy the equation $A + 2 = -Bc^2$ (the Montgomery equivalent of $-a$ being a square). This is the Suyama-11 family, so its torsion properties were explained in Section 3.4.1. These two families have been discovered independently in [3] and [5].

3.4.3. Suyama-9/4. In experiments by Zimmermann, new Suyama curves with exceptional torsion properties were discovered, such as $\sigma = 9/4$. Further experiments show that their special properties are related to the $2^k$-torsion and concern exclusively primes $p \equiv 1 \pmod 4$. Indeed, the $\sigma = 9/4$ curve satisfies Equation (4). Section 3.2 illustrates the changes in probabilities of the $\sigma = 9/4$ curve when compared to curves which do not satisfy Equation (4) and shows that Equation (4) improves the average valuation of 2 from $10/3$ to $11/3$.

Let us call Suyama-9/4 the set of Suyama curves which satisfy Equation (4). When solving the system formed by Suyama's system plus Equation (4), we obtain an

$^1$ There is a typo in the proof of [5, Thm. 5.1]: a minus sign is missing.
  Families                 Curves          n   average valuation of 2      n   average valuation of 3
                                               Th.            Exp.             Th.             Exp.
  Suyama                   σ = 12          2   10/3  ≈ 3.333   3.331      1   27/16  ≈ 1.688   1.689
  Suyama-11                σ = 11          2   11/3  ≈ 3.667   3.669      1   27/16  ≈ 1.688   1.687
  Suyama-9/4               σ = 9/4         3   11/3  ≈ 3.667   3.664      1   27/16  ≈ 1.688   1.687
  Z/2Z × Z/4Z                              3   14/3  ≈ 4.667   4.666      1*  87/128 ≈ 0.680   0.679
                           E_{-(77/36)^4}  3   16/3  ≈ 5.333   5.332      1*  87/128 ≈ 0.680   0.679
  e = g^2                                  3   29/6  ≈ 4.833   4.833      1*  87/128 ≈ 0.680   0.680
  (label illegible)^2                      3   29/6  ≈ 4.833   4.831      1*  87/128 ≈ 0.680   0.679
  e = (2g^2+2g+1)/(2g+1)                   3   29/6  ≈ 4.833   4.833      1*  87/128 ≈ 0.680   0.679

Table 4. Experimental values (Exp.) are obtained with all primes below 2^. The case n = 1* means that the Galois group is isomorphic to $\mathrm{GL}_2(\mathbb{Z}/\pi\mathbb{Z})$.



elliptic parametrization for $\sigma$. Given a point $(u, v)$ on $E_{\sigma 9/4}: v^2 = u^3 - 5u$, $\sigma$ is obtained as $\sigma = u$. The group $E_{\sigma 9/4}(\mathbb{Q})$ is generated by the points $P_\infty = (-1, 2)$ and $P_2 = (0, 0)$ of orders $\infty$ and 2 respectively. We exclude the points $O$, $\pm P_\infty$, $P_2$ and $P_2 \pm P_\infty$ which produce non-valid values of $\sigma$. If two points in $E_{\sigma 9/4}(\mathbb{Q})$ differ by $P_2$ they correspond to isomorphic curves. We recognize the curve associated to $\sigma = 9/4$ when considering the point $(9/4, -3/8) = [2]P_\infty$.
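The elliptic parametrization above can be turned into a small experiment. The following is an added example, not code from the paper: it computes multiples of $P_\infty = (-1, 2)$ on $v^2 = u^3 - 5u$ with exact rational arithmetic, takes $\sigma = u$, builds the corresponding Suyama curve in Montgomery form (using Suyama's standard formulas $u' = \sigma^2 - 5$, $v' = 4\sigma$, $A = (v'-u')^3(3u'+v')/(4u'^3v') - 2$, $x_0 = u'^3/v'^3$, which the page does not restate), and compares the average 2-adic valuation of the group order of the $\sigma = 9/4$ curve with that of the ordinary Suyama curve $\sigma = 12$ over small primes. The choice $B = x_0^3 + Ax_0^2 + x_0$ is this example's own (it makes $(x_0, 1)$ a rational point and is isomorphic over $\mathbb{Q}$ to Suyama's $B$, which is only determined up to squares); all names are this example's.

```python
"""Added example (not code from the paper): the Suyama-9/4 parametrization of
Section 3.4.3 and a 2-adic valuation experiment.  A point (u, v) on
E: v^2 = u^3 - 5u gives sigma = u; sigma then feeds Suyama's standard parametrization.
Exact arithmetic over Q uses fractions; point counting is brute force, small p only."""
from fractions import Fraction


def legendre(a, p):
    """Legendre symbol (a/p), p an odd prime: 1 (square), -1 (non-square), 0."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def mod_p(q, p):
    """Reduce the rational q modulo p (ValueError if p divides its denominator)."""
    q = Fraction(q)
    return q.numerator * pow(q.denominator, -1, p) % p


def ec_add(P, Q, a):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over Q; None is the point O."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and y1 == -y2:
        return None
    lam = (3 * x1 * x1 + a) / (2 * y1) if P == Q else (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)


def ec_mul(k, P, a):
    """[k]P by repeated addition (k is tiny here)."""
    R = None
    for _ in range(k):
        R = ec_add(R, P, a)
    return R


def suyama_9_4_sigmas(kmax):
    """sigma = u for [k]P_inf, k = 2..kmax, P_inf = (-1, 2) on v^2 = u^3 - 5u.  The
    excluded points O, ±P_inf, P2 = (0, 0) and P2 ± P_inf cannot occur for k >= 2
    because P_inf has infinite order."""
    P_inf = (Fraction(-1), Fraction(2))
    return [ec_mul(k, P_inf, -5)[0] for k in range(2, kmax + 1)]


def suyama_curve(sigma):
    """Suyama's parametrization: B y^2 = x^3 + A x^2 + x with a rational point of
    x-coordinate x0 = u^3/v^3, where u = sigma^2 - 5, v = 4 sigma.  Taking
    B = x0^3 + A x0^2 + x0 puts (x0, 1) on the curve; B matters only up to squares,
    so this is isomorphic over Q to the usual Suyama curve (example's own choice)."""
    sigma = Fraction(sigma)
    u, v = sigma * sigma - 5, 4 * sigma
    A = (v - u) ** 3 * (3 * u + v) / (4 * u ** 3 * v) - 2
    x0 = u ** 3 / v ** 3
    return A, x0 ** 3 + A * x0 ** 2 + x0


def montgomery_order(A, B, p):
    """#E(F_p) of B y^2 = x^3 + A x^2 + x by scanning x (plus the point at infinity);
    None if p divides a denominator or B (A^2 - 4) = 0 mod p (singular reduction)."""
    try:
        A, B = mod_p(A, p), mod_p(B, p)
    except ValueError:
        return None
    if B == 0 or (A * A - 4) % p == 0:
        return None
    b_inv = pow(B, -1, p)
    return 1 + sum(1 + legendre((x ** 3 + A * x * x + x) * b_inv, p) for x in range(p))


def primes_below(n):
    """Primes < n by a sieve."""
    sieve = [True] * n
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = [False] * len(sieve[i * i::i])
    return [i for i in range(2, n) if sieve[i]]


def val2(n):
    """2-adic valuation of n > 0."""
    k = 0
    while n % 2 == 0:
        n //= 2
        k += 1
    return k


def average_val2(sigma, pmax):
    """Average 2-adic valuation of #E(F_p) over good primes 3 < p < pmax."""
    A, B = suyama_curve(sigma)
    orders = [montgomery_order(A, B, p) for p in primes_below(pmax) if p > 3]
    vals = [val2(n) for n in orders if n is not None]
    return sum(vals) / len(vals)


if __name__ == "__main__":
    print("sigma values from [k]P_inf:", suyama_9_4_sigmas(4))
    for sigma in (12, Fraction(9, 4)):          # ordinary Suyama curve vs. Suyama-9/4
        print(sigma, "average v_2(#E(F_p)) for p < 2000:", average_val2(sigma, 2000))
```

Every Suyama curve has a rational point of order 3 and, being in Montgomery form, group order divisible by 4, so every good prime contributes at least $v_2 = 2$; the experiment only compares the averages, which the table above puts at $10/3$ for $\sigma = 12$ and $11/3$ for $\sigma = 9/4$ in the limit.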

3.5. Comparison. Table 4 gives a summary of all the families found in this article. The theoretical average valuations were computed with Theorem 2.19, Theorem 2.7 and Corollary 2.9 under some assumptions on Serre's exponent (see Example 2.21 for more information).

Note that, when we impose torsion points over $\mathbb{Q}$, the average valuation does not simply increase by 1, as can be seen in Table 4 for the average valuation of 3.



4. Conclusion and further work

We have used Galois theory in order to analyze the torsion properties of elliptic curves. We have determined the behavior of generic elliptic curves and explained the exceptional properties of some known curves (Edwards curves of torsion $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ and $\mathbb{Z}/6\mathbb{Z}$). The new techniques suggested by the theoretical study have helped us to find infinite families of curves having exceptional torsion properties. We list below some questions which were not addressed in this work:

• Can one effectively compute Serre's exponent?

• How does Serre's work relate to the independence of the $m$- and $m'$-torsion probabilities for coprime numbers $m$ and $m'$?

• Is there a model predicting the success probability of ECM from the probabilities given in Theorem 2.19?

• Is it possible to effectively use the Resolvent Method [11] in order to compute equations which improve the torsion properties?